DSAR Requirements in Maryland (MODPA)
Maryland DSAR requirements: consumer rights, response deadlines, identity verification, and penalties under the MODPA.
Last updated: 2026-02-08
Consumer Rights That Trigger DSARs
Maryland consumers can submit requests to:
- Access all personal data you hold about them
- Correct inaccurate personal data
- Delete personal data you collected
- Port their data in a portable, machine-readable format
- Opt out of the sale of personal data
- Opt out of targeted advertising
- Opt out of profiling that produces legal or similarly significant effects
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
Response Deadline
45 days from receipt. You can extend by only 15 days (shorter extension than most states) — and you must notify the consumer of the extension and the reason within the initial 45-day window.
Identity Verification
Required before fulfilling any request. The MODPA does not prescribe a specific verification method.
Appeal Process
If you deny a request, the consumer can appeal. You must respond to appeals within 45 days. You must provide notice of their right to contact the Maryland Attorney General if the appeal is denied.
Penalties
- $10,000 per violation
- $25,000 per violation for pattern or practice violations
- 60-day cure period available until April 1, 2027
- No private right of action — only the Attorney General can enforce
Enforced by the Maryland Attorney General (Division of Consumer Protection).
DSAR-Specific Exemptions
You may decline or limit a request when the data is needed to:
- Comply with a legal obligation
- Detect security incidents or protect against fraud
- Complete a transaction the consumer requested
Maryland is notable for prohibiting the sale of sensitive data entirely — not just requiring opt-in consent. Sensitive data includes racial/ethnic origin, religious beliefs, health information, sexual orientation, gender identity, and children's data.
Who This Applies To
Businesses that process personal data of 35K+ Maryland consumers or 10K+ consumers with 20%+ revenue from data sales. These are among the lowest thresholds in the country.
For the full Maryland privacy law guide, see boringgovernance.com.
Related Guides
- How to Respond to a DSAR — response process
- DSAR Response Deadlines — all deadlines
- DSAR Identity Verification — verification methods
- DSAR Exemptions — when you can refuse